Renew CA #936
Comments
afaik the openvpn ca file/option can take more than one CA. If this is the case, one solution for an expiring CA would be to not issue new client/server certificates once it is about to expire and the newly issued leaf certificate would exceed the life span of the CA at that point, just create a new CA and carry on
This is authoritative information, provided by David Sommerseth, OpenVPN Inc:
Because renewing a CA is more complicated than building a new CA, Easy-RSA does not renew the CA. The recommended procedure is to use:
Where But I must draw your attention to: #941
Thanks for the updates @TinCanTech. I just want to reiterate that my solution works as expected, tested a couple of weeks ago. Add the new CA certificate in the list of This way both old and new clients can authenticate until all the old certificates expire and the OLD CA is decommissioned.
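The overlap described in the comment above, as an added example that is not part of this thread or of Easy-RSA: it builds two throwaway CAs with `openssl`, concatenates both CA certificates into one file of the kind the OpenVPN `ca` option reads, and reports which client certificates each trust file accepts. All file names (`old-ca`, `new-ca`, `ca-bundle.crt`) and lifetimes are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway CAs and client certs; every file name is illustrative.
set -eu

mk_ca() {    # mk_ca <name> <days>: self-signed CA certificate
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

mk_leaf() {  # mk_leaf <name> <ca-name> <days>: client cert signed by <ca-name>
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
        -CAcreateserial -sha256 -days "$3" -out "$1.crt" 2>/dev/null
}

trusted() {  # trusted <ca-file> <cert>: prints yes or no
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    then echo yes; else echo no; fi
}

report() {   # report <label> <ca-file>: which client certs this trust file accepts
    echo "$1 old-client=$(trusted "$2" old-client.crt)" \
         "new-client=$(trusted "$2" new-client.crt)"
}

run_demo() (  # subshell, so the cd and the temp dir stay contained
    dir=$(mktemp -d)
    trap 'rm -rf "$dir"' EXIT
    cd "$dir"
    mk_ca old-ca 30            # CA close to expiry
    mk_ca new-ca 3650          # replacement CA with a new key
    mk_leaf old-client old-ca 30
    mk_leaf new-client new-ca 825
    # One file holding both CA certificates, as passed to the "ca" option
    cat old-ca.crt new-ca.crt > ca-bundle.crt
    report old-ca-only old-ca.crt
    report bundle      ca-bundle.crt
    report new-ca-only new-ca.crt   # state after the old CA is decommissioned
)

run_demo
```

Only the `bundle` line accepts both clients; the `new-ca-only` line shows why the old CA certificate stays in the file until every certificate it issued has expired.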
@aduzsardi Your approach is acceptable, I shall take another look at this. Thank you for your persistence.
EasyRSA v3.2, simple renewal of an expired CA certificate:
For command
You want to renew your CA and your OpenVPN keeps on working.
This is not possible.
All of your clients require the renewed CA certificate.
The renewed CA certificate MUST be forwarded to your clients, there is no alternative.
Source: #379 (comment)
Linked-to: #609 (comment)
Even after considering this absolute fact, EasyRSA has the option to offer a minor, secure shortcut.
The question:
Can EasyRSA make renewing your old CA easy and secure?
Maybe ...